Hello,
I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster, I didn't use to experiment the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below, is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
user_1> su user_2 Password: No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50'
user_2> exit
user_1> su Password: root> xeyes <OK>
Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
Best regards,
Léa
You are switching users without passing the display authorization cookie. The easiest way to achieve this is probably using ssh: instead of executing "su user_2" call "ssh -X user_2@localhost".
The problem is access to the xauthority file of user_1 (the path is stored in the XAUTHORITY environment, usually /home/user_1/.Xauthority.). This file contains the cookie you need to access the display. As user_2 you are not allowed to read that file while as user root you can read it.
Uli
On Fri, Dec 27, 2019 at 3:45 PM Lmhelp1 <lmhelp1@orange.fr> wrote:
Hello,
I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster, I didn't use to experiment the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below, is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
user_1> su user_2 Password: No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50'
user_2> exit
user_1> su Password: root> xeyes <OK>
Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
Best regards,
Léa
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
Hello Uli,
Thank you for your answer and for the explanations.
"ssh -X user_2@localhost" works fine indeed.
Uli> The problem is access to the xauthority file of user_1
I created a group "simple_users" and put "user_1" and "user_2" in that group. I changed the owner group of "/home/user_1/.Xauthority" to "simple_users" and set permissions to 660.
chown user_1:simple_users /home/user_1/.Xauthority chmod 660 /home/user_1/.Xauthority
Then I re-tried the experiment:
user_1> su user_2 Password:
I don't get the error that I reported in my first post (No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50').
Yet, when I run xeyes, I get an error:
user_2> xeyes No protocol specified Error: Can't open display ':50'
Best regards,
Léa
On 27/12/2019 4:17 PM, Ulrich Sibiller wrote:
You are switching users without passing the display authorization cookie. The easiest way to achieve this is probably using ssh: instead of executing "su user_2" call "ssh -X user_2@localhost".
The problem is access to the xauthority file of user_1 (the path is stored in the XAUTHORITY environment, usually /home/user_1/.Xauthority.). This file contains the cookie you need to access the display. As user_2 you are not allowed to read that file while as user root you can read it.
Uli
On Fri, Dec 27, 2019 at 3:45 PM Lmhelp1 wrote:
Hello,
I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster, I didn't use to experiment the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below, is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
user_1> su user_2 Password: No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50'
user_2> exit
user_1> su Password: root> xeyes <OK>
Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
Best regards,
Léa
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
Léa,
You will need to grant user_2 the x bit on user_1's home directory so that they can access /home/user_1/.Xauthority. I think most distros set $HOME permissions to 700, you may try setting it to 711 or adding user_2 to the user_1 gid and using 710 (depending on your security model).
Cheers, Bryan
On Fri, Dec 27, 2019 at 11:30 AM Lmhelp1 <lmhelp1@orange.fr> wrote:
Hello Uli,
Thank you for your answer and for the explanations.
"ssh -X user_2@localhost" works fine indeed.
Uli> The problem is access to the xauthority file of user_1
I created a group "simple_users" and put "user_1" and "user_2" in that group. I changed the owner group of "/home/user_1/.Xauthority" to "simple_users" and set permissions to 660.
chown user_1:simple_users /home/user_1/.Xauthority chmod 660 /home/user_1/.Xauthority
Then I re-tried the experiment:
user_1> su user_2 Password:
I don't get the error that I reported in my first post (No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50').
Yet, when I run xeyes, I get an error:
user_2> xeyes No protocol specified Error: Can't open display ':50'
Best regards,
Léa
On 27/12/2019 4:17 PM, Ulrich Sibiller wrote:
You are switching users without passing the display authorization cookie. The easiest way to achieve this is probably using ssh: instead of executing "su user_2" call "ssh -X user_2@localhost".
The problem is access to the xauthority file of user_1 (the path is stored in the XAUTHORITY environment, usually /home/user_1/.Xauthority.). This file contains the cookie you need to access the display. As user_2 you are not allowed to read that file while as user root you can read it.
Uli
On Fri, Dec 27, 2019 at 3:45 PM Lmhelp1 wrote:
Hello,
I am using X2Go under Debian with Openbox. I have upgraded to Debian Buster, I didn't use to experiment the problem below with Debian Stretch. My problem is about running graphical clients (like xeyes, xterm, gvim, etc.) from a console logged in either as a "simple" user ("user_2" below) or as "root". "user_2" cannot run these clients, "root" can. I would like both of them to be able to run these clients. Below, is what happens ("user_1" is the user that started the X2Go session, it is also a "simple" user).
user_1> su user_2 Password: No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50'
user_2> exit
user_1> su Password: root> xeyes <OK>
Can you tell me how to allow "user_1" to run graphical clients like xeyes, xterm, gvim, etc.?
Best regards,
Léa
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
Hello Bryan,
Permissions (by default) are 755 for "/home/user_1/"...
Best regards,
Léa
On 27/12/2019 6:02 PM, Bryan Roessler wrote:
Léa,
You will need to grant user_2 the x bit on user_1's home directory so that they can access /home/user_1/.Xauthority. I think most distros set $HOME permissions to 700, you may try setting it to 711 or adding user_2 to the user_1 gid and using 710 (depending on your security model).
Cheers, Bryan
On Fri, Dec 27, 2019 at 11:30 AM Lmhelp1 <lmhelp1@orange.fr <mailto:lmhelp1@orange.fr>> wrote:
Hello Uli, Thank you for your answer and for the explanations. "ssh -X user_2@localhost" works fine indeed. Uli> The problem is access to the xauthority file of user_1 I created a group "simple_users" and put "user_1" and "user_2" in that group. I changed the owner group of "/home/user_1/.Xauthority" to "simple_users" and set permissions to 660. > chown user_1:simple_users /home/user_1/.Xauthority > chmod 660 /home/user_1/.Xauthority Then I re-tried the experiment: user_1> su user_2 Password: I don't get the error that I reported in my first post (No protocol specified xrdb: Resource temporarily unavailable xrdb: Can't open display ':50'). Yet, when I run xeyes, I get an error: user_2> xeyes No protocol specified Error: Can't open display ':50' Best regards, -- Léa On 27/12/2019 4:17 PM, Ulrich Sibiller wrote: > You are switching users without passing the display authorization > cookie. The easiest way to achieve this is probably using ssh: instead > of executing "su user_2" call "ssh -X user_2@localhost". > > The problem is access to the xauthority file of user_1 (the path is > stored in the XAUTHORITY environment, usually > /home/user_1/.Xauthority.). This file contains the cookie you need to > access the display. As user_2 you are not allowed to read that file > while as user root you can read it. > > Uli > > On Fri, Dec 27, 2019 at 3:45 PM Lmhelp1 wrote: >> Hello, >> >> I am using X2Go under Debian with Openbox. >> I have upgraded to Debian Buster, I didn't use to experiment the problem >> below with Debian Stretch. >> My problem is about running graphical clients (like xeyes, xterm, gvim, >> etc.) from a console logged in either as a "simple" user ("user_2" >> below) or as "root". >> "user_2" cannot run these clients, "root" can. >> I would like both of them to be able to run these clients. >> Below, is what happens ("user_1" is the user that started the X2Go >> session, it is also a "simple" user). >> >> user_1> su user_2 >> Password: >> No protocol specified >> xrdb: Resource temporarily unavailable >> xrdb: Can't open display ':50' >> >> user_2> exit >> >> user_1> su >> Password: >> root> xeyes >> <OK> >> >> Can you tell me how to allow "user_1" to run graphical clients like >> xeyes, xterm, gvim, etc.? >> >> Best regards, >> -- >> Léa >> >> _______________________________________________ >> x2go-user mailing list >> x2go-user@lists.x2go.org <mailto:x2go-user@lists.x2go.org> >> https://lists.x2go.org/listinfo/x2go-user _______________________________________________ x2go-user mailing list x2go-user@lists.x2go.org <mailto:x2go-user@lists.x2go.org> https://lists.x2go.org/listinfo/x2go-user
-
Bryan Roessler -
Lmhelp1 -
Ulrich Sibiller